git: abdc47cd6969 - stable/13 - bhyve: Fix a buffer overread in the PCI hda device model.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 26 Jan 2023 22:35:10 UTC
The branch stable/13 has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=abdc47cd6969a649ee7b4bec0efe0d51bc95dfdb commit abdc47cd6969a649ee7b4bec0efe0d51bc95dfdb Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2023-01-20 17:58:38 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2023-01-26 22:29:06 +0000 bhyve: Fix a buffer overread in the PCI hda device model. The sc->codecs array contains HDA_CODEC_MAX (15) entries. The guest-supplied cad field in the verb provided to hda_send_command is a 4-bit field that was used as an index into sc->codecs without any bounds checking. The highest value (15) would overflow the array. Other uses of sc->codecs in the device model used sc->codecs_no to determine which array indices have been initialized, so use a similar check to reject requests for uninitialized or invalid cad indices in hda_send_command. PR: 264582 Reported by: Robert Morris <rtm@lcs.mit.edu> Reviewed by: corvink, markj, emaste Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D38128 (cherry picked from commit cf57f20edcf9c75f0f9f1ac1c44729184970b9d9) --- usr.sbin/bhyve/pci_hda.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/usr.sbin/bhyve/pci_hda.c b/usr.sbin/bhyve/pci_hda.c index bb8fba1a54bb..9e9d7ab5a626 100644 --- a/usr.sbin/bhyve/pci_hda.c +++ b/usr.sbin/bhyve/pci_hda.c @@ -475,12 +475,14 @@ hda_send_command(struct hda_softc *sc, uint32_t verb) struct hda_codec_class *codec = NULL; uint8_t cad = (verb >> HDA_CMD_CAD_SHIFT) & 0x0f; - hci = sc->codecs[cad]; - if (!hci) + if (cad >= sc->codecs_no) return (-1); DPRINTF("cad: 0x%x verb: 0x%x", cad, verb); + hci = sc->codecs[cad]; + assert(hci); + codec = hci->codec; assert(codec);